My guess is: My app was running ok using 7.18 core. I read about a security upgrade about injection. So I upgrated to 7.19 core. And the problem started. I'm going to change back the core to 7,18.

nduong

Nam Duong, Red Hat, Inc.

Product Manager @ Red Hat - OpenShift (PaaS)

Posted January 22, 2013 at 12:28 PM

@interintrait, Thanks for the details!

derek@dgtlife

Derek Gransaull, DGTLife, LLC

Posted March 21, 2013 at 4:12 AM

I experienced this on a newly created Drupal app. I followed the OpenShift instructions to create a Drupal application, and when I went to the application URL I was disappointed. I got to the login page successfully, but there wasn't the standard Drupal admin theme nor dynamic admin interface behavior, that you would always see on a standard manual install. At first I thought it was a permissions issue, but after a bit of digging around, I checked the Inspector and realized that the .css and .js files were being blocked by Chrome and Chromium (but not by Safari, Firefox, or Opera).

I resolved this by simply going to the settings.php file and setting the $base_url to use https.

$base_url = 'https://myApplicationUrl';

To the folks in OpenShift Product Marketing:

I had no idea that OpenShift was enabling SSL by default for all Drupal (and all other?) apps. Normally, this is an optional step, at least on other hosting systems (and some folks even charge for it). I didn't see this in the instructions. But I like that OpenShift is bundling it in though. :-) However,

a. it is not a good first impression for things to not "just work" out of the box on a newly provisioned application, without even the slightest user customization. From my perspective, this suggests that this basic use case was not tested, yet the invitation to encounter it is out there in the wild.

b. you can have this working out of the box by simply modifying your build scripts to set the $base_url during provisioning.

I hope this helps folks who might otherwise dismiss OpenShift because "they can't even install and configure Drupal" properly.

Derek

sannam

Sumana Annam, Red Hat, Inc.

OpenShift (PaaS) Product Marketing Manager

Posted March 21, 2013 at 2:38 PM

Thanks for the feedback Derek. Due to a bug, Chrome browser would redirect http requests to https automatically. This should be fixed in Chrome26+

derek@dgtlife

Derek Gransaull, DGTLife, LLC

Posted March 21, 2013 at 9:20 PM

Thanks Sumana, for pointing to the Chrome bug.

Nevertheless, if it is true that OpenShift enables SSL by default as I saw here:

then informing the OpenShift user upfront (in the app creation wizard) that this is so will help them to understand the environment they will be in, and allow then to make the necessary adjustments to take advantage of that environment. I don't believe that Drupal 7 out-of-the-box is configured to use mixed HTTP/HTTPS nor HTTPS-only environments. Deliberate changes are necessary to do so. This post talks about this:

So I'll still hold OpenShift to the high expectations of either telling me that you're going to put my app into an env that has SSL enabled (promote your differentiators :-) and that it's up to me to configure my app to use or not it, or automatically configuring the app to use SSL and telling me that you've done so (and for my own benefit) and that it's up to me to make the necessary adjustments to put the app into an insecure mode. ;-)

Best,

Derek

nduong

Nam Duong, Red Hat, Inc.

Product Manager @ Red Hat - OpenShift (PaaS)

Posted March 22, 2013 at 2:20 PM

Thank you for your feedback Derek! Here's the bug report: https://bugzilla.redhat.com/show_bug.cgi?id=924883
Looking forward to the fix. Also looking forward to Chrome 26 since users want better control over when to use non-secure vs secure connections to apps. And of course developers wanting better control of supporting the same.

derek@dgtlife

Derek Gransaull, DGTLife, LLC

Posted March 22, 2013 at 4:51 PM

Thanks for the follow through Nam! I like the direction of OpenShift. And I like the responsiveness of the team so far.